Thursday, June 23, 2011

Firefox 3 Forensic Analysis

Accessing information on the Internet leaves a variety of footprints such as visited websites, viewed content, downloaded documents, etc. The forensic information can be found in single files, directories, local databases and the Windows registry. Moreover, the Windows operating system maintains in the registry a log of all local and wireless network connections (including the MAC address of the switch/router), which can further help a forensic investigation to identify the physical location of the suspect (Laureate Online Education B.V., 2009) (Jonathan Risto, 2010).

According to W3Schools (2011), the five most used web browsers are Firefox (42%) followed by Chrome (25%) and Internet Explorer (25%), then Safari (4%) and Opera (2.4%). As such, a digital forensic investigator should be knowledgeable in all four and geared up to perform extraction and analysis of the data collected by these Internet browsers. In most cases, Internet browsers use a local cache to store information in order to speed up access, together with the history of visited web sites, favourites, etc. In some cases (Firefox), the stored information indicates whether the suspect typed the Uniform Resource Locator (URL), which shows intent of criminal or illegal activity. Furthermore, autocomplete history and cookies can provide the forensic investigator with information typed into websites or stored locally. In addition, the increasing use of web chats such as Yahoo! Chat and Gmail Chat provides potential access to additional information.

While Internet Explorer and Firefox traditionally stored this information in flat files, from Firefox version 3 the information is stored in SQLite databases. For example, bookmarks and browsing history are stored in places.sqlite, passwords in key3.db and signons.sqlite, autocomplete history in formhistory.sqlite and cookies in cookies.sqlite (Mozilla.org, n.d.). Numerous tools are available to perform forensic analysis of the information captured by Firefox, including f3e and the simple SQLite command line utility.

After carving the SQLite 3 database file (using the dd or foremost commands), it can be accessed simply by using the sqlite command. All Firefox SQLite 3 files are in essence databases with multiple tables. For example, places.sqlite contains the following tables: moz_anno_attributes, moz_favicons, moz_keywords, moz_annos, moz_historyvisits, moz_places, moz_bookmarks, moz_inputhistory, moz_bookmarks_roots and moz_items_annos.

Since SQLite does not require authentication to work with the database, SQL statements can be used to retrieve relevant (case-specific) information. For example, the following query will retrieve the 20 most visited websites:
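
As an added example (not code from the original post), the following Python script shows how such a query runs against places.sqlite, and also pulls the "typed" visits that the post mentions as evidence of intent. The column names (moz_places.url, title, visit_count, typed, last_visit_date; moz_historyvisits.place_id, visit_date, visit_type) and the value visit_type = 2 for a typed URL are assumed from the Firefox 3 schema as the author of this example knows it; the sample database is constructed in memory so the script runs offline, and open_places is a helper for a carved file, not a Firefox API.

```python
import sqlite3
from datetime import datetime, timezone

# Added example, not from the original post. Column names follow the
# Firefox 3 places.sqlite schema as assumed by the author of this example.
# Timestamps are PRTime: microseconds since the Unix epoch, UTC.

TOP_N_QUERY = """
SELECT p.url, p.title, p.visit_count, p.typed, p.last_visit_date
FROM moz_places AS p
WHERE p.visit_count > 0
ORDER BY p.visit_count DESC, p.last_visit_date DESC
LIMIT ?
"""

TYPED_QUERY = """
SELECT p.url, h.visit_date
FROM moz_historyvisits AS h
JOIN moz_places AS p ON p.id = h.place_id
WHERE h.visit_type = 2        -- TRANSITION_TYPED: URL entered by the user
ORDER BY h.visit_date
"""


def prtime_to_utc(prtime):
    """Convert a Firefox PRTime (microseconds since epoch) to an aware datetime."""
    if prtime is None:
        return None
    return datetime.fromtimestamp(prtime / 1_000_000, tz=timezone.utc)


def most_visited(conn, limit=20):
    """Return the `limit` most visited places, most visited first."""
    rows = conn.execute(TOP_N_QUERY, (limit,)).fetchall()
    return [
        {"url": url, "title": title, "visits": visits, "typed": bool(typed),
         "last_visit": prtime_to_utc(last)}
        for url, title, visits, typed, last in rows
    ]


def typed_visits(conn):
    """Return (url, datetime) for every visit the user typed into the address bar."""
    return [(url, prtime_to_utc(ts)) for url, ts in conn.execute(TYPED_QUERY)]


def open_places(path):
    """Open a carved places.sqlite read-only so the evidence file is never modified."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_db():
    """Constructed sample database standing in for a carved places.sqlite."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
            visit_count INTEGER DEFAULT 0, typed INTEGER DEFAULT 0,
            last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER,
            visit_date INTEGER, visit_type INTEGER);
    """)
    base = 1_308_787_200_000_000  # 2011-06-23 00:00:00 UTC, in microseconds
    places = [
        (1, "http://www.example.com/", "Example", 12, 1, base + 3_600_000_000),
        (2, "http://news.example.net/", "News", 5, 0, base + 7_200_000_000),
        (3, "http://forum.example.org/thread/7", "Thread", 1, 0, base),
        (4, "http://unvisited.example/", None, 0, 0, None),  # bookmark only
    ]
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?,?)", places)
    visits = [
        (1, 1, base + 3_600_000_000, 2),   # typed into the address bar
        (2, 2, base + 7_200_000_000, 1),   # followed a link
        (3, 3, base, 1),
    ]
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?)", visits)
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()          # replace with open_places("places.sqlite")
    for row in most_visited(db, 20):
        print(row)
    for url, when in typed_visits(db):
        print("typed:", url, when.isoformat())
```

Places that were only bookmarked and never visited (visit_count of 0) are excluded, and the read-only URI keeps the carved file's hash stable while it is queried.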

Firefox Anti-forensic Features

Firefox includes a number of anti-forensic features which can be invoked either by the suspect or automatically by Firefox itself, such as the removal of old history records after a period of 90 days. Moreover, a suspect could use the “Private Browsing” functionality or manually invoke “Clear Recent History”. In these cases, Firefox fills the space of each record with zeros, effectively wiping the data.

Regardless, although the content of the records is wiped, Pereira, M. (n.d.) has demonstrated that “when searching all disk, record vestiges was found in unallocated space”, either due to data relocated by the underlying OS or due to the “rollback” journal used by the SQLite engine.
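
The carving step and the residue search described above, as an added Python example that is not part of the original post: it locates the SQLite 3 file signature ("SQLite format 3\0") in a raw image, reads the page size from header offset 16 and the page count from offset 28, carves the database, measures how much of it is zero-filled, and then reports URL strings that lie outside the carved file, which is where the vestiges Pereira found would appear. The image is constructed in the script so it runs offline. One caveat the author of this example adds: the in-header page count at offset 28 is only written by SQLite 3.7 and later, so a file from the Firefox 3 era may hold 0 there, in which case the code falls back to the remainder of the image and the analyst should trim the carve by walking the b-tree pages.

```python
import re
import struct

# Added example, not from the original post. File-format facts used:
# SQLite 3 files start with the 16-byte magic below, keep the page size as a
# big-endian 16-bit value at offset 16 (1 meaning 65536) and, in files written
# by SQLite >= 3.7, the database size in pages at offset 28.
SQLITE_MAGIC = b"SQLite format 3\x00"
URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,200}")


def sqlite_page_size(header):
    """Page size from header offset 16 (big-endian 16-bit; 1 means 65536)."""
    (raw,) = struct.unpack(">H", header[16:18])
    return 65536 if raw == 1 else raw


def carve_sqlite(image):
    """Yield (offset, db_bytes) for each SQLite 3 file found in a raw image.
    Older SQLite versions store 0 at offset 28; then the rest of the image is
    taken and the analyst trims it afterwards (assumption, see lead-in)."""
    pos = image.find(SQLITE_MAGIC)
    while pos != -1:
        header = image[pos:pos + 100]
        page_size = sqlite_page_size(header)
        (page_count,) = struct.unpack(">I", header[28:32])
        length = page_count * page_size if page_count else len(image) - pos
        yield pos, image[pos:pos + length]
        pos = image.find(SQLITE_MAGIC, pos + length)


def unallocated_urls(image, carved):
    """URL-like strings outside every carved database: the 'record vestiges
    in unallocated space' the post refers to. Returns (offset, url) pairs."""
    spans = [(off, off + len(db)) for off, db in carved]
    hits = []
    for m in URL_RE.finditer(image):
        if not any(start <= m.start() < end for start, end in spans):
            hits.append((m.start(), m.group().decode("ascii")))
    return hits


def zeroed_fraction(db):
    """Share of zero bytes in a carved database. A value near 1.0 is
    consistent with Firefox zero-filling records on 'Clear Recent History'."""
    return db.count(0) / len(db) if db else 0.0


def build_sample_image():
    """Constructed image: junk, a minimal two-page SQLite file (1024-byte pages)
    whose second page has been zero-filled, then slack holding a URL left over
    from a deleted record."""
    page_size = 1024
    header = bytearray(100)
    header[0:16] = SQLITE_MAGIC
    struct.pack_into(">H", header, 16, page_size)
    struct.pack_into(">I", header, 28, 2)            # two pages
    live_record = b"\x00" * 10 + b"http://kept.example/"
    page1 = bytes(header) + live_record
    page1 += b"\x00" * (page_size - len(page1))
    page2 = b"\x00" * page_size                       # wiped record page
    slack = b"\xde\xad" * 8 + b"http://deleted.example/secret?id=42" + b"\x00" * 40
    return b"JUNK" * 16 + page1 + page2 + slack


if __name__ == "__main__":
    img = build_sample_image()                  # replace with open(path, "rb").read()
    found = list(carve_sqlite(img))
    for off, db in found:
        print(f"SQLite file at offset {off}, {len(db)} bytes, "
              f"{zeroed_fraction(db):.0%} zero-filled")
    for off, url in unallocated_urls(img, found):
        print(f"residue at offset {off}: {url}")
```

On a live system the rollback journal sits beside the database as places.sqlite-journal and should be collected with it, since it can hold the pre-wipe content of pages that the database itself no longer shows.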